
ASA5515 AnyConnectVPN to Internet

Johnni211
Level 1

Hello

I would like to reach a SIP proxy via VPN. My VPN pool is 10.201.252.1-254 and I see the following in the log:

"Deny UDP reverse path check from 10.201.252.53 to 10.201.252.255 on interface inside"

Routing table:

S*    0.0.0.0 0.0.0.0 [1/0] via 7.8.9.10, outside
S        10.201.0.0 255.255.0.0 [2/0] via 10.201.254.2, inside
C        10.201.0.0 255.255.255.0 is directly connected, voip
L        10.201.0.1 255.255.255.255 is directly connected, voip
C        10.201.20.0 255.255.255.0 is directly connected, guest
L        10.201.20.1 255.255.255.255 is directly connected, guest
S        10.201.252.53 255.255.255.255 [1/0] via 7.8.9.10, outside
S        10.201.252.54 255.255.255.255 [1/0] via 7.8.9.10, outside
C        10.201.254.0 255.255.255.0 is directly connected, inside
L        10.201.254.1 255.255.255.255 is directly connected, inside

Do you have any idea?

Thanks, Johnni211

2 Replies

From:

https://supportforums.cisco.com/discussion/9935866/deny-udp-reverse-path-check

It means that the inside interface received a packet from a network that is NOT in the firewall routing table...

It's enabled with the command

ip verify reverse-path interface inside

You can disable this feature with the command

no ip verify reverse-path interface inside

In this case I get the following:

Deny inbound UDP from 10.201.252.56/138 to 10.201.252.255/138 on interface inside

But the acl:

access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip any any log warnings
access-group inside_access_in in interface inside

What is your opinion?

Thank you
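
Added example, not part of the thread: a Python model of the reverse-path check, run against the routing table from the first post. It assumes the check is strict, meaning the best (longest-prefix) route back to a packet's source must leave through the interface the packet arrived on; the function names are this example's own.

```python
import ipaddress

# Routing table copied from the first post: (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.201.0.0/16", "inside"),
    ("10.201.0.0/24", "voip"),
    ("10.201.0.1/32", "voip"),
    ("10.201.20.0/24", "guest"),
    ("10.201.20.1/32", "guest"),
    ("10.201.252.53/32", "outside"),
    ("10.201.252.54/32", "outside"),
    ("10.201.254.0/24", "inside"),
    ("10.201.254.1/32", "inside"),
]
TABLE = [(ipaddress.ip_network(prefix), iface) for prefix, iface in ROUTES]


def best_route(addr):
    """Longest-prefix match: return (network, interface), or None if no route."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, iface) for net, iface in TABLE if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def rpf_check(src, ingress):
    """Assumed strict check: the route back to src must use the ingress interface."""
    route = best_route(src)
    if route is None:
        return False, "no route to source"
    net, iface = route
    if iface != ingress:
        return False, f"route {net} points to {iface}, packet arrived on {ingress}"
    return True, f"route {net} points to {iface}"


if __name__ == "__main__":
    # Source/interface pairs: the first is the one in the logged deny message,
    # the others are constructed for comparison.
    samples = [
        ("10.201.252.53", "inside"),
        ("10.201.252.53", "outside"),
        ("10.201.252.56", "inside"),
    ]
    for src, ingress in samples:
        ok, why = rpf_check(src, ingress)
        print(f"{src} on {ingress}: {'pass' if ok else 'DENY'} ({why})")
```

In this model the logged source 10.201.252.53 fails on inside because its /32 host route points to outside, while an address covered only by the 10.201.0.0/16 static route passes on inside.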
